Renewing an existing personal certificate on AIX, Linux, and Windows

You can renew a personal certificate by using the strmqikm (iKeyman) GUI, or from the command line using the runmqckm (iKeycmd) or runmqakm (GSKCapiCmd) commands.

About this task

If you have a requirement to use larger key sizes for your personal certificates, you cannot renew an existing certificate. You must replace your existing key by following the steps described in Requesting a personal certificate on AIX, Linux, and Windows to create a new certificate request that uses the key sizes you require.

A personal certificate has an expiry date, after which the certificate can no longer be used. This task explains how to renew an existing personal certificate before it expires.

Using the strmqikm user interface

About this task

strmqikm does not provide a FIPS-compliant option. If you need to manage TLS certificates in a way that is FIPS-compliant, use the runmqakm command.

Procedure

Complete the following steps to apply for a personal certificate, by using the strmqikm user interface:

Start the user interface by using the strmqikm command on AIX, Linux, and Windows.
From the Key Database File menu, click Open.
The Open window opens.
Click Key database type and select CMS (Certificate Management System).
Click Browse to navigate to the directory that contains the key database files.
Select the key database file from which you want to generate the request; for example, key.kdb.
Click Open.
The Password Prompt window opens.
Type the password you set when you created the key database and click OK.
The name of your key database file is shown in the File Name field.
Select Personal Certificates from the drop down selection menu, and select the certificate from the list that you want to renew.
Click the Re-create Request... button.
A window opens for you to enter the file name and file location information.
In the file name field, either accept the default certreq.arm, or type a new value, including the full file path.
Click OK. The certificate request is stored in the file you selected in step 9.
Request the new personal certificate either by sending the file to a certificate authority (CA), or by copying the file into the request form on the website for the CA.

Using the command line

Procedure

Use the following commands to request a personal certificate by using either the runmqckm or runmqakm command:

Using runmqckm:


runmqckm -certreq -recreate -db filename -pw 
password -label label
-target filename

Using runmqakm:


runmqakm -certreq -recreate -db filename -pw 
password -label label
-target filename

where:

-db filename: Specifies the fully qualified file name of a CMS key database.
-pw password: Specifies the password for the CMS key database.
-target filename: Specifies the file name for the certificate request.

What to do next

Once you have received the signed personal certificate from the certificate authority, you can add it to your key database using the steps described in Receiving personal certificates into a key repository on AIX, Linux, and Windows.